Security Testing

SaaS (M365, Google Workspace)

Expert configuration review of your Microsoft 365 or Google Workspace tenant — identity, sharing and mail security checked against best practice.

Your Microsoft 365 or Google Workspace tenant holds your email, your files, your calendars and your identities — which makes it the single most attacked asset most organisations own. A Microsoft 365 security review (or its Google Workspace equivalent) examines how your tenant is actually configured, against CIS Benchmarks and vendor best practice, before an attacker finds the gap first.

These platforms ship with hundreds of security settings, and the defaults are chosen for adoption, not protection. Our consultants review the areas that decide whether a tenant compromise happens: identity and access — MFA coverage, conditional access, legacy authentication, privileged role sprawl; sharing and collaboration — external sharing defaults, guest access, anonymous links; and mail security — anti-phishing and anti-spoofing controls including SPF, DKIM and DMARC, forwarding rules and transport policies.

What a Microsoft 365 security review covers

Beyond the headline areas, the review examines application permissions and third-party OAuth grants — a quietly growing attack vector — plus device access policies, audit logging coverage and data retention. Findings are prioritised by impact and likelihood, so a disabled audit log or an admin account without MFA is never buried beneath cosmetic observations.

The review is delivered through Sentry: scoped via questionnaire and call, evidence gathered through read-only reviewer access, findings raised as they are identified, and a prioritised report with clear remediation guidance followed by a debrief. Most tenant fixes are configuration changes rather than purchases, which makes this one of the fastest ways to measurably harden your organisation.

A tenant review pairs naturally with our phishing, smishing and vishing assessments — one hardens the platform that receives the attack, the other measures how your people respond to it. And because tenants drift as admins come and go, an annual review with continuous vulnerability management in between keeps the assurance current.

What you get

M365 and Google Workspace

Both major productivity platforms reviewed against CIS Benchmarks and vendor best practice.

Identity first

MFA coverage, conditional access, legacy authentication and privileged roles — the settings that decide tenant compromises.

Sharing and mail security

External sharing, guest access, SPF, DKIM, DMARC and forwarding rules checked and prioritised.

OAuth and app permissions

Third-party application grants reviewed — the attack vector most tenants have never audited.

Fast, high-return fixes

Most findings are settings changes, not purchases — measurable hardening within days of the debrief.

How it works

  1. 01

    Scoping

    A short questionnaire and scoping call confirm the platforms, tenants or devices in scope and the standards that matter to you. You receive a clear Statement of Work and your project is created in Sentry.

  2. 02

    Evidence gathering

    We arrange read-only access or configuration exports, along with architecture diagrams and relevant policies. Nothing is changed in your environment.

  3. 03

    Expert review

    A consultant assesses your configuration against CIS Benchmarks and vendor best practice, prioritising findings by impact and likelihood. Findings are raised in Sentry as they are identified, not weeks later.

  4. 04

    Report and debrief

    You receive a prioritised report with clear remediation guidance and a debrief session with your consultant. Findings stay in Sentry so you can track fixes and compare future reviews.

Frequently asked questions

Straight answers to what prospective clients ask us most.

What does the review cover?

Identity and access (MFA, conditional access, legacy authentication, privileged roles), sharing and guest access, mail security (including SPF, DKIM and DMARC), application permissions and OAuth grants, device policies and audit logging — prioritised by real-world impact.

What access do you need to our tenant?

Read-only reviewer roles — both Microsoft 365 and Google Workspace provide built-in roles suitable for exactly this. We never need write access, and we guide you through granting and revoking it.

We check our secure score regularly — is that enough?

Platform scores are a useful signal, but they weight settings generically and cannot judge your context. An expert review prioritises what matters for your organisation, catches issues scores miss — such as risky OAuth grants and forwarding rules — and gives you defensible evidence for auditors.

How often should we review our tenant?

Annually as a baseline, and after significant changes such as migrations, mergers or admin turnover. Tenants drift constantly, so many clients pair the annual review with our continuous vulnerability management service.

Ready to talk about saas (m365, google workspace)?

Get a fixed-scope quote, usually the same working day.